
4 Learnings: DPGA Meeting 2023

I attended the DPGA annual meeting in Addis Ababa, Ethiopia. It was my first time meeting in person many of the people in that community and learning about the laudable goals of the DPG Alliance initiatives. The meeting was opened by Yodahe Zemichael, who leads the National ID Program Office in Ethiopia, and shared his insights based on their recent successful rollout. The plenary was followed by tracks on digital public infrastructure, global challenges, sustainability, and safeguards. At the conclusion of the meeting, participants were asked to jot down some key takeaways from the meeting. This list is not comprehensive, but it reflects a few things I was thinking about at the end of our time together.

One: Open Source Software ecosystems

As a DPG product owner, my biggest concern was regarding a misalignment on how to fund the continued maintenance and innovation of DPG open source software. The pervasive sentiment among DPGA members is that open source software should be free of cost. This sentiment is promulgated by some DPGA leadership. For example, at the closing plenary, Lucy Harris from the DPGA Secretariat said that open source software should be “freely available”, by which she meant that it should not cost anything. It’s important to align the incentives with the desired outcomes. For DPG software, the activity we need to incentivize is continued maintenance (the boring stuff that still needs to be done) and innovation. If the software is free, the result we’ll get is less innovation, less security, and less of everything else that comprises the product (documentation, training, deployment assets, community engagement, QA, etc.). Donations are helpful but not sustainable in the long term, and not necessarily proportional to the usage of the software. Donations also rely on the technical enlightenment of the funders to make the right investments. A better solution is for each DPGA project to publish a metric for intrinsic value measurement in the DPG Registry–funding should flow back to projects proportional to the size of the deployment, for as long as the software is in use. Not funding DPG maintenance and innovation is currently problematic and only getting worse.

Two: Digital Identity Accessibility

When rolling out a citizen identity infrastructure, governments should try to meet people where they are. Not everyone has a smartphone or laptop. In some cases, a smartphone is a shared resource in a family or community. A piece of paper might be the only affordable way to connect a person to the digital economy.

But digital identity is a moving target. Governments need to “skate to where the puck is going” (to use a hockey analogy…). Changing the culture of digital identity takes years. Governments need to make investments to take advantage of technology that is on the cusp of mainstream adoption. And even if these capabilities are not widespread at the moment, early experience can provide valuable feedback to inform the technology roadmap.

And finally, we need to remember that digital identity by itself is useless. Value is derived from the presentation of digital identity to obtain services, and consumption of the digital identity by local and national governments and the private sector. Creating a trusted digital ecosystem requires a deliberate outreach effort. More countries should look to Singapore’s effort to sign up hundreds of businesses to accept Singpass, their national digital identity federation. If you want more adoption of citizen identity, make it more valuable to citizens!

Three: Architecture Maturity

Western governments are not exactly paragons of successful digital transformation. As an American, I sometimes wonder why Google can authenticate me, but my own government cannot. Open banking in the United States is unlikely any time soon. Renewing a driver license online in my home state of Texas reminds me what ecommerce was like in the 90’s. Are we really in a position to advise on how to build a government technical stack?

For this reason, I think we need to approach the challenge with a bit more humility. Some of the experience we have from the private sector is relevant. But at the same time, there are still many unknowns–stuff we haven’t done, and stuff that might be different in a government context–especially a government that serves people with different cultures.

I like the idea of a “GovStack”, but it has to be flexible enough to adapt to changing local contexts, lessons learned, capacity constraints, and continued innovation. The DPGA can help catalyze the community to share best practices and lessons learned. We’re all in learning mode and dealing with an unprecedented rate of change in the information technology space.

Four: Schedule

One point Yodahe Zemichael made in his introductory keynote was that to build a digital economy, there was a missing meta-infrastructure: a need to bring all the small pieces together. Because I hang out with a lot of engineers, I have a great appreciation for these “little things” that normal people take for granted. It’s really hard to build a digital service that is high performance, high integrity, and highly available. For sovereignty, many countries want to self-host digital public infrastructure. Even most US state and federal governments are relying on cloud providers to minimize much of the technical capabilities–not just compute, persistence, network but higher level services like streaming, caching, key management, and even authorization. And the biggest challenge is not technology–it’s people. It takes years for engineers to get the breadth of experience required to build and operate digital public infrastructure at scale. This is not to say that it’s not important to overcome the activation energy to start–goals like 50 in 5 can help here. But things may take longer than expected–they normally do in information technology projects. We need to focus on long-term sustainability. Perhaps our kids may enjoy the benefits of our work, and we may not. From a historical perspective, change in one generation is still fast.